Kerb-008 Register Service Provider Name and set delegations
You’ll find below the different SPN to register and the delegations to set to run properly the Kerberos configuration in a constraint delegation mode.
Register Service Provider Name
Register SPN service for account as follow:
Enter in command line SETSPN.exe –A <SPN Service>/<Host> <Domain>\<Account>.
Add these SPN VIA ADSI-EDIT =
HTTP/webmoss-srv01 yourdomain\webmoss-srv01
HTTP/webmoss-srv01.yourdomain.net yourdomain\webmoss-srv01
Log on domain with domain administrative credentials and add these SPN VIA SETSPN
REM#################################
REM# WEB host servers #
REM#################################
Setspn.exe -A HOST/webmoss-srv01 yourdomain\webmoss-srv01
Setspn.exe -A HOST/webmoss-srv01.yourdomain.net yourdomain\webmoss-srv01
REM#################################
REM# reporting services #
REM#################################
Setspn.exe -A CIFS/webapp-srv01.yourdomain.net ACC-BI-SSRS@YOURDOMAIN.NET
Setspn.exe -A CIFS/webapp-srv01 ACC-BI-SSRS@YOURDOMAIN.NET
Setspn.exe -A HTTP/BI-SSRS ACC-BI-SSRS@YOURDOMAIN.NET
Setspn.exe -A HTTP/BI-SSRS.yourdomain.net ACC-BI-SSRS@YOURDOMAIN.NET
Setspn.exe -A CIFS/BI-SSRS ACC-BI-SSRS@YOURDOMAIN.NET
Setspn.exe -A CIFS/BI-SSRS.yourdomain.net ACC-BI-SSRS@YOURDOMAIN.NET
REM##################################
REM# Analysis Services data pump Web Sites #
REM##################################
Setspn.exe -A HTTP/BI-WEBSSAS ACC-BI-SSASWEB@YOURDOMAIN.NET
Setspn.exe -A HTTP/BI-WEBSSAS.yourdomain.net ACC-BI-SSASWEB@YOURDOMAIN.NET
Setspn.exe -A CIFS/BI-WEBSSAS ACC-BI-SSASWEB@YOURDOMAIN.NET
Setspn.exe -A CIFS/BI-WEBSSAS.yourdomain.net ACC-BI-SSASWEB@YOURDOMAIN.NET
REM##################################################
REM# SQL / SSAS instance #
REM Check that your SQL instance is 1433 or change it properly #
REM##################################################
Setspn.exe -A MSSQLSVC/sqlssas-srv01.yourdomain.net:1433 ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSSQLSVC/sqlssas-srv01:1433 ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSSQLSVC/BI-SQLSSAS.yourdomain.net:1433 ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSSQLSVC/BI-SQLSSAS:1433 ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSOLAPSVC/sqlssas-srv01.yourdomain.net ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSOLAPSVC/sqlssas-srv01 ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSOLAPSVC/BI-SQLSSAS.yourdomain.net ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSOLAPSVC/BI-SQLSSAS ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSOLAPSVC.3/sqlssas-srv01.yourdomain.net ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSOLAPSVC.3/sqlssas-srv01 ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSOLAPSVC.3/BI-SQLSSAS.yourdomain.net ACC-BI-SSAS@YOURDOMAIN.NET
Setspn.exe -A MSOLAPSVC.3/BI-SQLSSAS ACC-BI-SSAS@YOURDOMAIN.NET
For each domain account service check “Trust for delegation” to specified service (Kerberos).
Click Add button à Computer à Click Advanced button à click Find Now. Select delegation service as describe within data from each line of the table below and click OK button.
| Server | Delegation Service Provider | Delegation from account | Server | Port |
| SQLSSAS-SRV01 | MSSQLSVC | ACC-BI-SSAS@YOURDOMAIN.NET | SQLSSAS-SRV01 SQLSSAS-SRV01.yourdomain.net | 1433 |
| SQLSSAS-SRV01 | MSOLAPSVC.3 | ACC-BI-SSAS@YOURDOMAIN.NET | SQLSSAS-SRV01 SQLSSAS-SRV01.yourdomain.net |
|
For each domain account service check “Trust for delegation” to specified service (Kerberos).
Click Add button à Computer à Click Advanced button à click Find Now.
Select delegation service as describe in table bellow click OK button.
| Accounts | Delegation Service Provider | Delegation from account | Servers or Hosts (DNS & FQDN) | Port |
| ACC-BI-SSRS@YOURDOMAIN.NET | MSSQLSVC | ACC-BI-SSAS@YOURDOMAIN.NET | sqlssas-srv01 sqlssas-srv01.yourdomain.net BI-SQLSSAS BI-SQLSSAS.yourdomain.net | 1433 |
| ACC-BI-SSRS@YOURDOMAIN.NET | MSOLAPSVC.3 | ACC-BI-SSAS@YOURDOMAIN.NET | BI-SQLSSAS BI-SQLSSAS.yourdomain.net |
|
| ACC-BI-SSASWEB@YOURDOMAIN.NET | MSOLAPSVC.3 | ACC-BI-SSAS@YOURDOMAIN.NET | sqlssas-srv01 sqlssas-srv01.yourdomain.net BI-SQLSSAS BI-SQLSSAS.yourdomain.net |
|
| ACC-BI-SSASWEB@YOURDOMAIN.NET | MSSQLSVC | ACC-BI-SSAS@YOURDOMAIN.NET | sqlssas-srv01 sqlssas-srv01.yourdomain.net BI-SQLSSAS BI-SQLSSAS.yourdomain.net | 1433 |
| ACC-BI-SSASWEB@YOURDOMAIN.NET | HTTP | ACC-BI-SSASWEB@YOURDOMAIN.NET | BI-WEBSSAS BI-WEBSSAS.yourdomain.net |
|
| ACC-BI-SSRS@YOURDOMAIN.NET | HTTP, HOST | YOUDOMAIN\webmoss-srv01
| webmoss-srv01 webmoss-srv01.yourdomain.net |
|
| ACC-BI-SSRS@YOURDOMAIN.NET | HTTP, HOST | YOURDOMAIN\webmoss-srv01 | webmoss-srv01 webmoss-srv01.yourdomain.net |
|
| ACC-BI-SSASWEB@YOURDOMAIN.NET | HTTP, HOST | YOURDOMAIN\webmoss-srv01 | webmoss-srv01 webmoss-srv01.yourdomain.net |
|
|
|
|
|
|
|
| ACC-BI-SSASWEB@YOURDOMAIN.NET | CIFS | ACC-BI-SSRS@YOURDOMAIN.NET | webapp-srv01 webapp-srv01.yourdomain.net |
|
| ACC-BI-SSASWEB@YOURDOMAIN.NET | Http, CIFS | ACC-BI-SSRS@YOURDOMAIN.NET | BI-SSRS BI-SSRS.yourdomain.net |
|
| Http, CIFS | ACC-BI-SSASWEB@YOURDOMAIN.NET | BI-WEBSSAS BI-WEBSSAS.yourdomain.net |
| |
|
|
|
|
|
|